arXiv: 1505.02111v2 [cs.IT] 27 Mar 2016 


Manuscript submitted to 
AIMS’ Journals 

Volume X, Number OX, XX 20xx 


doi:10.3934/amc.xx.xx.xx 
pp. X-XX 


POWER DECODING REED SOLOMON CODES UP TO THE 

JOHNSON RADIUS 


Johan S. R. Nielsen 

Technical University of Denmark, 

Department of Applied Mathematics and Computer Science 
Denmark 


(Communicated by the associate editor name) 


Abstract. Power decoding, or “decoding using virtual interleaving” is a tech¬ 
nique for decoding Reed—Solomon codes up to the Sudan radius. Since the 
method’s inception, it has been an open question if it is possible to incorpo¬ 
rate “multiplicities”, the parameter allowing the Guruswami-Sudan algorithm 
to decode up to the Johnson radius. In this paper we show that this can be 
done, and describe how to efficiently solve the resulting key equations. As the 
original Power decoding, the proposed algorithm is a one-pass algorithm, where 
decoding follows immediately from solving a shift-register type equation. It is 
a partial decoding and will fail to return a codeword for a few received words; 
we investigate its failure behaviour theoretically as well as giving simulation 
results. This is an extended version where we also show how the method can 
be made faster using the re-encoding technique or a syndrome formulation. 


1. Introduction. Power decoding was originally proposed by Schmidt, Sidorenko 
and Bossert for low-rate Reed-Solomon codes (RS) [31]. Using shift-register synthe¬ 
sis techniques, the method can decode as many errors as the Sudan algorithm [40| . 
As opposed to Sudan’s list decoder. Power decoding is a one-pass algorithm where 
decoding is realised by solving a simultaneous shift-register problem; however. Power 
decoding always returns at most one codeword and will for a few received words 
simply fail. For random errors simulations indicate this occurs with only very small 
probability. 

The Sudan decoder generalises to the Guruswami-Sudan decoder na by intro¬ 
ducing the multiplicity parameter, improving the decoding radius for all rates and 
allowing it to decode up to the Johnson radius m- Since |31| , it has been an open 
question whether it is likewise possible to introduce a “multiplicity parameter” into 
Power decoding and thereby increase the decoding radius up to the Johnson radius. 

In this work we settle this question in the affirmative. The overall behaviour of 
the decoder is similar to Power decoding: 

1. The equations are of a generalised shift-register type, and no root-finding as 
in Guruswami-Sudan is necessary. 

2. The decoding radius becomes almost exactly that of the Guruswami-Sudan 
decoder (under the same choices of parameters). 


2010 Mathematics Subject Classification. Primary: TODO TODO; Secondary: TODO. 
Key words and phrases. TODO TODO TODO. 


1 



2 


JOHAN S. R. NIELSEN 


3. When a codeword is returned, it is always a closest codeword. The method 
will fail for a few error patterns whenever one decodes beyond half the mini¬ 
mum distance. 

Furthermore, we will show how to realise the decoder efficiently, yielding a com¬ 
plexity 0~{£‘^ sn), where uj is the exponent of matrix multiplication, and s, i are the 
multiplicity, respectively powering parameters of the decoder, and 0~(-) is big-O 
but ignoring log(ns^) factors. This is very close to the best known complexities 
0~{£‘^~^s^n) for the Guruswami-Sudan algorithm or the Wu list decoder [7]. 

We also investigate the failure behaviour of the proposed method. Though we 
do not settle the question of precisely how often Power decoding fails, we make 
some headway: we prove that the behaviour depends only on the error, and not the 
sent codeword, and we show that failure can only occur beyond half the minimum 
distance. We then give a closed upper bound on the probability for one choice of 
the algorithm’s parameters, (s,£) = (2,3). We also present simulation results that 
demonstrate a very small probability of failure for larger parameter choices. 

Compared to the two existing list decoders, the Guruswami-Sudan and the Wu al¬ 
gorithm, we believe the proposed algorithm is interesting for several reasons. Firstly, 
it is more practical since the decoder needs only a single sub-algorithm—of shift- 
register type—while the other two decoders are more involved. The Guruswami- 
Sudan algorithm consists of two steps: interpolation and root-finding. Interpolation 
is comparable to the computation in Power decoding (see next section), but root¬ 
finding is an additional, non-trivial step. E.g. in [1], a hardware implementation of 
Kdetter and Vardy’s soft-decision variant of Guruswami-Sudan has the critical path 
in the root-finding unit, and this also uses a significant area of the entire circuit. For 
hard-decision, a lower multiplicity would be more relevant, and then interpolation 
unit would be significantly simpler while the root-finding unit would not, causing 
the latter to occupy relatively more area and latency. Anecdotally, Broadcom also 
recently revealed interest in using joint decoding of Interleaved Reed-Solomon codes 
in a communication standard HU; here it was crucial that the decoder was a one- 
pass shift-register-based algorithm, based on |35| : a method that is computationally 
very related to Power decoding. 

Secondly, Power decoding has also been applied in settings where the list decoders 
have not been formulated, such as improved decoding of Interleaved RS codes |44| . 
and in compressed sensing , among others I2I1I21]- It is clear that the proposed 
extension of Power decoding immediately extends to decoding of Interleaved RS 
codes, but analysing the details is outside the scope of this paper. Examining this 
as well as the other applications are interesting avenues of future work. 

Lastly, Power decoding decodes beyond half-the-minimum distance without the 
use of interpolation at all. This is a rarity in algebraic decoding, and it demonstrates 
that interpolation is not necessary for decoding up to the Johnson radius; at least in 
the presence of random errors. This sheds new light on decoding of RS codes, and 
represents an important puzzle piece in relation to the two list-decoding algorithms. 

Parts of these results were presented at AGGT-14 |28| . 

1.1. Related Work. Power decoding was introduced in |36|: for low-rate RS codes, 
it was shown how one can compute generalised syndromes from “powering” the 
received word, and that these can be used for efficient decoding by solving a multi¬ 
sequence shift-register synthesis problem. One chooses a “powering degree” £: higher 
£ yields better decoding radius, but is admissible only for lower-rate codes. In |36| . 


POWER DECODING RS CODES 


3 


a bound on the failure probability was given for RS codes over binary extension 
fields when £ = 2, but a general conjecture was given based on simulations results. 
The failure behaviour was then further examined in m and m, where bounds on 
the failure probability were obtained over any field for i = 2 and i = 3. In a 
reformulation of Power decoding was given based on Gao’s decoder uni, and this 
was used to show that whether or not Power decoding fails depends only on the 
error pattern, and not the sent codeword. Power decoding has been applied in 
various other settings: for decoding Interleaved Reed-Solomon codes beyond the 
usual collaborative bound [H]; for improved decoding of Complex Reed-Solomon 
codes for use in Compressed Sensing [22] ; decoding of Hermitian codes [24] ; and for 
decoding CRT and Interleaved CRT codes |21| . 

The Guruswami-Sudan algorithm El is a polynomial-time list-decoding algo¬ 
rithm up to the Johnson radius J„ = n — yjn{k — 1) [15]. “List-decoding” means 
that the algorithm will return all codewords within the decoding radius. For the 
algorithm one chooses two parameters s,i € usually dubbed “the multiplicity” 
respectively “the list size”. They satisfy s < £, and they need to grow large for 
attaining the best decoding radius: for a decoding radius of J„ fc — en, one needs 
s,£ G 0(1/e) for any e G K.+ . See [23 p. 58] for an extreme numerical example. 

As noted already in [36], Power decoding is related to Guruswami-Sudan when 
s = 1 (also known as “Sudan decoding” after [40]): choosing the same value for i 
yields (almost) exactly the same decoding radius. Computationally, there are more 
similarities, as noted below. 

Guruswami-Sudan consists of two phases, usually dubbed “Interpolation” and 
“Root-finding”: first, one finds an “interpolation polynomial” Q{y) G Ffyjfy], and 
then one finds F[a:]-roots of it. Both phases have received a tremendous amount 
of attention with the aim of speeding them up, e.g. [2j|4ll3|8l|T9l[32l|46] ; see [7] for 
an overview on the literature for the Interpolation step. The best currently known 
complexities are 0~(£“'“^s^n) for Interpolation [7], and 0~{Psn) for Root finding, 
proposed in [2] with a tighter complexity analysis in [5]. Without the use of fast 
arithmetic, the best complexities are 0{i^s^n^) for Interpolation [46], respectively 
0{i^s^n^) for Root finding [32]. 

One approach for fast Interpolation in Guruswami-Sudan has been to formulate 
“Interpolation key equations”, as in [31] for the case s = 1, and [33 for tho general 
case. These are shift-register-type equations whose solution result in an interpola¬ 
tion polynomial. These are related to Power decoding: the generalised syndromes 
in [32] equal those of the original Power decoding [34]. However, the two sets of key 
equations are inherently different: the solution to the Power decoding equations 
yields the error locator, while no clear notion of an error locator is known for the 
Guruswami-Sudan algorithm. Similarly, the key equations that we derive in Sec¬ 
tion 13 bears a resemblance to the equations of |46| , and it is an interesting question 
what the algebraic relation between the two approaches is. 

Another avenue of research on fast Interpolation for Guruswami-Sudan is to 
apply Ffyj-lattice basis reduction to an explicit constructible F[a;]-matrix P1I31I51IT3] . 
This lattice depends on two polynomials, G and R (see page|3), which are also used 
in Gao’s minimum-distance decoding algorithm |10| . and which appear in both the 
Gao reformulation of Power decoding m and the algorithm we give here. Inspired 
by this line of research, lattice basis reduction was previously applied to solve the 
key equations of the original Power decoding |25[ . and we will solve the new Power 
decoding key equations by extending this approach. 




4 


JOHAN S. R. NIELSEN 


The Wu decoding algorithm [45] is an amalgamation between classical key equa¬ 
tion decoding [^ and the Guruswami-Sudan: one first attempts half-the-minimum 
distance decoding using the classical key equation (see the following section). If 
this fails, the polynomials computed in the failed attempt are then used to set up 
a problem solvable by an F(a;)-variant of the Guruswami-Sudan algorithm. One 
again needs Interpolation and Root-finding sub-algorithms which are similar to but 
slightly more involved than for Guruswami-Sudan; see e.g. |5j[71|42] for work on 
these. The best complexities for these steps equal those of the Guruswami-Sudan 
algorithm mm- However, from a practical perspective, the Wu algorithm is the 
more complicated to implement since one also needs classical key equation decod¬ 
ing, and since the F(a;)-variants of the sub-algorithms are technically more involved. 
The Wu algorithm is also a list-decoding algorithm, and also decodes up to Jn,k- 
Also here one needs to choose parameters s,£, whose growth relate to the decoding 
radius as in the Guruswami-Sudan algorithm |^. 

1.2. Organisation. In Section[^we give an introduction to the previous key equation- 
based decoding algorithms: half-the-minimum distance and Power decoding. In 
Section [S] we then derive the new key equations. These are non-linear relations 
between polynomials revealing the error, and we describe in Section |4] how to use 
them for obtaining an efficient decoding algorithm. We derive a decoding radius in 
Section [S] and relate it directly to that of the Guruswami-Sudan algorithm. Power 
decoding will fail on certain received words within this radius, however, and we 
investigate this in Section [51 In Section [7] we give simulation results. In Section |S] 
and Section 0 we investigate re-encoding respectively syndrome reformulations of 
the proposed key equations, providing practical - if not asymptotic - speedups to 
the decoder. 

The decoding method has been implemented in Sage v6.9 [39] and can be down¬ 
loaded from http://jsrn.dk/code-for-articles, together with the code for run¬ 
ning the simulation. 

2. Preliminaries and Existing Key Equations. In complexity discussions, we 
count arithmetic operations in the field F. We will use lo as the exponent for matrix 
multiplication, i.e. 2 < w < 3. We use 0~(-) as big-O but ignoring log-factors. In a 
few places we also use M(n) to denote the complexity of multiplying together two 
polynomials of degree at most n; we can trivially use M(n) £ 0{n?) or we can have 
M(n) G 0~{n), see e.g. [45] . 

2.1. GRS codes. Consider some finite field F. Choose n < |F| as well as distinct 
Oi,..., On £ F as well as non-zero (not necessarily distinct) ,..., /3„ £ F. For any 
/ £ F[a;] we write 

ev(/) = (/3i/(ai),..., Pnfian)) ■ 

The [u, fc, d] Generalised Reed-Solomon (GRS) code is the set 
C={ev(/) |/£F[a:], deg/< fc} . 

The ai are called evaluation points and the j3i column multipliers. C has minimum 
distance d = n — k + 1 and the code is therefore MDS. 

Consider now that some c = (ci,...,c„) was sent with c = ev(/) for some 
/ £ F[a:], and that r = (ri,...,'r„) = c -f e was the received word with error 
e = (ci,..., e„). Let £ = {i \ ei ^ 0} and e = \£\. 


POWER DECODING RS CODES 


5 


Note that column multipliers can be ignored in decoding: we simply compute 
r' = {ri/Pi,... ,rn/l3n) = c' + e', where c' is in the code C which has the same 
evaluation points ai but where all Pi = 1. e' is an error vector with the same 
number of errors as e. In the remainder of the article, we therefore assume /?, = 1. 
Introduce two essential polynomials, immediately computable by the receiver: 

n 

G = J^(a; — Oi) R : deg R<n, i?(ai) = r^, i = l,...,n. 

i=l 

G can be pre-computed, while R is computed upon receiving r using Lagrange 
interpolation. 

Key equation decoders revolve around the notion of an error locator A and error 
evaluator fl: 

A=n(2;-aj) n=-^eiCi n 

jeS ieS 

where (i = Note that e = deg A > degO. 

The following relation between the four polynomials are is at the heart of our 
investigations: 

Lemma 2.1. A(/ — R) = flG . 

Proof. The closed formula for Lagrange interpolation implies that f—R = ~GCi 
Uj). This directly means 

A{f-R) = AJ2 = E ) G = nG . 


The objects c, r,e,A, etc. introduced here will be used in the remainder of the 
article. 

2.2. Classical Key Equations. Let us revisit the key equation implicit in Gao’s 
decoder nni, which follows directly from Lemma |2.II 

AR = A/ mod G . (1) 

This is a non-linear equation in the unknowns A and /, and it is not immediately 
obvious how to build an efficient decoder around it. The good idea is to ignore the 
non-linear relation: we replace the sought quantities A and A/ with unknowns A 
and ifji both in F[a;], and such that 

XR = i/) mod G . 

This is now a linear relation, but unfortunately with infinitely many solutions. We 
further restrict the solutions by requiring 

deg A -I- fc — 1 > deg if . 

Note that this is satisfied if A is replaced by A and ip by A/. Finally, we seek such 
A, p! where A is monic and has minimal degree. The hope is now that A = A even 
though we solved for a much weaker relation than O; effectively, it is therefore the 
low degree of {AR mod G) which is used to solve for A. Solving such requirements 
for A and ip is sometimes known as rational function reconstruction |43| or Fade 
approximation [3]. They are easy to solve for in complexity 0{n^) or 0~{n), using 
e.g. the extended Euclidean algorithm [31 ITU1ITT] . 



6 


JOHAN S. R. NIELSEN 


It can be shown that whenever e < d/2 we get A = A and ip = ^/) see e.g. |1Q| . 
Then / = i^/A and decoding is finished. However, whenever e > (i/2, the approach 
will essentially never work. 

Whenever 0 is not an evaluation point, i.e. ai ^ 0 for all i, then the equation can 
be rewritten to the more classical syndrome key equation [6]. First some notation: 
for p g F[a;], let rev(p, d) denote the reversal of the coefficients of p at degree d, 
i.e. rev(p, d) = x‘^p{x~^) for some integer d > degp. To lighten the notation, we 
will often omit the (i-argument when there is an implied upper bound on the degree 
of the polynomial being reversed; to be precise, note that we then reverse on the 
upper bound on the degree, and not on the actual degree which might happen to be 
lower. 

Introduce S{x) as the power series expansioi|i| of rev(ii)/rev(G') truncated at 
Then by reversing Lemma I^T] at degree e + n — 1 we get: 

AR = Af-nG ^ 

rev(Ai?, e + n — 1) = rev(A/, e + k — l)x‘^~^ — rev(OG, e + u — 1) 
rev(A)rev(i?) = —rev(H)rev(G) mod . 

Since x f rev(G) this implies the well-known formula: 

rev(A)S' = -rev(H) mod . (2) 

A (now less obvious) algebraic relation exist between rev(A) and rev(H). To allow 
for efficient solving, we forget this relation, and replace rev(A) and —rev(O) by 
unknowns A and G, and solve for the minimal degree A satisfying 

XS = uj mod and 

deg A > deg ui . 

This time the modulus is a power of x] solving such an equation for A and ui is known 
as Fade approximations [3] or a linear feedback shift-register synthesis m Section 
6.7]. It can be solved in complexity 0{n'^) or 0~(n) using either the extended 
Euclidean algorithm or the Berlekamp-Massey algorithm. 

One can again show that this approach will succeed, i.e. in the end A = rev(A), 
whenever e < [(d — 1)/2J [^. Slightly stronger, one can show that the approach 
will succeed if and only if the Gao key equation approach succeeds |27| . 

2.3. Simply Powered Key Equations. Power decoding, or decoding by virtual 
interleaving [36], is a generalisation of (|T|) where not one but multiple non-linear 
relations between A and / are identified, essentially still based on Lemma [2T] The 
original formulation of |36| is based on the classical syndrome key equation, while 
powering the Gao key equation was described in [27]. We will begin with the latter: 

Lemma 2.2 (Simply Powered key equations). For any t € then 

Ai?‘ = Af mod G . 

Proof. By Lemma 12.11 we have 

Af = A{R -{R- /))* = AR* + A{R - /)(...) = Ai?‘ mod G . 

□ 


^By inserting the explicit Lagrange interpolation formula for i?, it is easy to see that this 
definition of the syndrome polynomial corresponds to the classical one, in e.g. 1311 Section 6.2]. 



POWER DECODING RS CODES 


7 


Again this gives non-linear relations between A and /. To solve them efficiently, 
we use only the first I of the equations, for some chosen and introduce unknowns 
A, i/^i,..., G F[a;]. We then solve for A, ipt such that A is monic and of minimal 
degree such that 

Ai?‘ = mod G , t = 1,..., £ and 

deg A > degi/it — t{k — 1) . 

Finally, we hope that the found A = A. In that case / = V'l/^ decoding is 
finished. 

Note that there is a natural upper bound on how £ should be chosen: when 
deg A -I- t{k — l)>n then any choice of A will satisfy the t’th key equation simply by 
setting tpt = (Ai? mod G), and so those equations will not further restrict A. That 
gives the rough bound I < n/{k — 1). 

By regarding the linearised problem as a linear system of equations, and counting 
available coefficients versus constraints, one arrives at an expression for the greatest 
number of errors we should expect to be decodable: 

^<j^n-\£{k-l)-j^. (3) 

This argument does not imply that we will necessarily succeed when the bound is 
satisfied: the constructed system might have spurious “false solutions” that degree 
less than or equal to that of A. In such rare cases decoding might fail for fewer 
errors than ([3]). Bounding the probability that this occurs has proven difficult. We 
now know upper bounds when £ = 2.3 [271136]. and Schmidt, Sidorenko, and Bossert 
posed a conjecture, backed by simulation, on the probability in general |36| . 

From ([3]) we can determine the value of £ that maximise the decoding radius. 
Whenever k/n > 1/3, one should simply choose £ = 1, i.e. classical key equa¬ 
tion decoding. Thus Power decoding is only useful for low-rate codes. Note that 
(O is almost the same bound as the Sudan decoding algorithm [301, which is the 
Guruswami-Sudan algorithm with multiplicity 1. 

Power decoding was originally described using a syndrome formulation instead 
of ([31) [331 : we restrict ourselves to the case where 0 is not an evaluation point, 
and we define as the power series expansion of rev(i?(*^)/rev(G) truncated at 
where is the unique polynomial of degree less than n such that 
mod G. Then it follows from Lemma 12.21 by the same rewriting as in 
Section 1221 [27|, that: 

rev(A)5(*) =-rev(L!t) mod (4) 

where Oj are certain polynomials of degree at most e — 1 that we omit defining 
explicitly. It can be shown using the same rewriting that Power syndrome decoding 
fails if and only if Power Gao decoding fails Ezj. 

For the Gao formulation, the linearised problem to solve is sometimes known as 
vector rational function reconstruction m, and for the syndrome formulation as 
simultaneous Pade approximation [3] or multi-sequence shift-register synthesis |36| . 
Iterative algorithms with 0{£n'^) complexity can be found in [25l[36l[38]. 0~{£‘^n) 
algorithms are in [25ll37j . while the recent [29] gives an 0~{£‘^~^n) algorithm. 

The approach in [25] is based on computing reduced bases of carefully selected 
Fjx] modules. What we describe in Section|3]to solve the new Powered key equations 
is a generalisation of this approach. 



8 


JOHAN S. R. NIELSEN 


3. New Key Equations. In this section we describe the main result of the paper, 
namely a new generalisation of Power decoding where we introduce a second pa¬ 
rameter, the multiplicity. The resulting relations will again be non-linear in A and 
/, and we will employ a similar linearisation strategy. We will see in Section |4] how 
the linear problem can be solved efficiently using a lattice basis reduction approach. 
The generalised key equations are described in the following theorem: 

Theorem 3.1. For any s,£ S with i> s, then 

AV* = ^ Q fort = l,...,s-l, 

A7* = ^ Qi?*-*G*^ mod G" for t = s,... . 

Proof. We simply rewrite 

A7* = A"(i?-h(/-i?))‘ 

i=0 

If t < s then A®(/ — i?)® = A®“®II®G* for each i by Lemma [2.11 This finishes the 
first part of the theorem. 

If t > s then for i = s,...,£, the summand equals (*)due to 
Lemma I^TTl which is 0 modulo G'*. Replacing A®(/ — i?)* by A®“*II®G® for i < s as 
before gives the sought. □ 

The above theorem describes £ equations in the unknowns A®, A®“^n,..., Af2®“^ 
as well as A'*/,..., A®/^. These are “key equations” in the following sense: the 
inner product of the first set of unknowns with a vector of known polynomials (the 
(*)i?‘“*G*) have surprisingly low degree ~ either immediately or reduced modulo 
G® - since it is the degree of A®/L 

As with the previous key equation decoding algorithms described in Section [21 
we perform the following linearisation to make the problem of finding A and / 
tractable: 

Problem. Find a vector (Aq, ... A^-i, ■i/'i,..., 7) ^ F[a;]®“*"^ with Aq monic and such 
that the following requirements are satisfied: 

la) i’t = '^K ■ , fort = l,...,s-l 

lb) V't = modG®, fort = s,...,i 

2) degAo > deg Ai-I-i , for i = 1,... ,s - 1 

3) degAo > degV't - t(A: - 1) , for t = 1,... ,£ . 

Clearly A = (A®, A®“^n,..., AII®”^, A®/,..., A®/^) satisfies these requirements, 
but there are unfortunately infinitely many other vectors satisfying them. We will 
therefore seek the one of least degree, i.e. where deg Aq is minimal; the hope is then 
that this vector is A. In that case, decoding will be completed simply by computing 
/ = V'l/Ao- 


POWER DECODING RS CODES 


9 


Note that as in the simpler Power decoding of Section [27^ the above linearisation 
implies a rough bound for the choices of £, namely that i < sn/(k — 1). For if 
t > sn/{k — 1), then item 3 imposes no restrictions as long as degt/jt < sn. But 
we can always choose a (j)t with degijjt < sn and which satisfies the only other 
requirement on 0^, namely lb. Thus setting i > sn/{k — 1) would impose no 
further restrictions on the \i than would £ = \sn/{k — 1)] — 1. 

Remark 1. The shape of the above equations bears a tantalising resemblance to 
certain approaches for solving the Interpolation phase in the Guruswami-Sudan 
algorithm: the F[a;]-lattice characterisation as in [4j[2^, and the (intermediate) 
Interpolation key equations as in |461 Eqn. (31)]. However, the Guruswami-Sudan 
algorithm has, a priori, nothing to do with the error locator, and the algebraic 
connection between the two sets of key equations is unclear. For instance, it is not 
known if one can easily obtain the error locator from an interpolation polynomial 
or vice versa. 

Remark 2. The original Power decoding can be described by analogy with decod¬ 
ing of certain Interleaved RS codes [36]. It would be interesting to find a similar- 
analogue for the key equations of Theorem 13.11 


4. Solving the Key Equations. We will now show how one can use F[a;]-lattice 
basis reduction to find a minimal solution to Problem [31 This approach is very 
closely related to that of [^ for solving the powered key equations of Section 12.31 
This, in turn, lends much from the Grobner basis description for classical key equa¬ 
tion solving by Fitzpatrick |3|. 

To solve ProblemjS] consider first M as the space of vectors (Aq, ... Ag-i, V'li ■ • ■; '^e) € 
F[a;]®“''^ just satisfying requirements la and lb. Clearly A £ M.. It turns out that 
A1 is a free F[a;] module and in fact we know a basis for it: 


Proposition 1. A4 = Row]f[ 2 ,](M), i.e. A4 is the Flx]-row space ofM G 
where 


M = 


^SXS 

N 


0(f-s-|-l)x(s-l) 1 G'®I(^_s+l)x(^-s-|-l) 


where N £ is the matrix whose (i,t)th entry is 


N[i,t] 



(,_i)GZ-ij^od G®, 

* = 1,..., s and t = 1,..., 

that is, 

■ R 


R®-i 

R^ 



G 

2RG 

.. (s- l)i?®-2G 

£R^-^G 


N = 

0 

G2 

.. (®2^)i?®-3G2 

... {^R^-^G 

mod G 


0 

0 

G®-i 

... (,!Jrg®-\ 



Proof. Let rrij denote the jth row of M To show M D Row][r[ 3 ,](M), simply note 
that each ruj is in At: for j < s then rrij corresponds in the equations of la and 
lb to setting Ai = 0 for all i ^ j — 1, Xj-i = 1, as well as -ipt = 
ioi t = 0,... ,£. This clearly leaves them satisfied. For j > s, rrij corresponds to 
setting Ai = 04 = 0 for all i and for t j — I, and 'ipj-i = G® = 0 mod G®. 










10 


JOHAN S. R. NIELSEN 


Now for M C Row][r[a;](M), leading to equality. For any v = (Aq, ... As-i, '0i,..., G 
A4 then the vector v' = K-im-i agrees with v in the first 2s — 1 positions. 

For the remaining positions h = 2s,..., s + £ of v', the position is congruent to tph-s 
modulo G®. Therefore there exists qs, ■ ■ ■, qe & such that v = 'U^ + X]i=s+i 
and thus C RowF[a;](M). □ 

To find a minimal solution to Problem |31 we should therefore seek a vector 
u = (Ao,... As_i, V”!, ■■■,'4’e) G Row][r[ 2 ,](M) such that: 

1. deg Ao > deg Ai + i 

2. deg Ao + - 1) > deg V't 

3. deg Aq is minimal under these constraints and Aq is monic. 

These goals turn out to be achievable by finding another matrix whose rows 
span A4 but which is in weak Popov form. This form was introduced by Mulders 
and Storjohann in |23| as a slightly stronger form than row reduced [TBl p. 380], 
but which exactly allows to argue about restrictions such as the degree inequalities 
above. The rows of a matrix in weak Popov form are also a Grobner basis for the 
module M for the term-over-position ordering; however we will stay with the matrix 
language in this exposition. Our strategy is very similar to finding short vectors in 
modules by computing a row reduced basis, see e.g. [431 Problem 16.12]. In this 
settings, shifts as we will use have also been considered, see e.g. [48] . 

Definition 4.1. The leading position of a non-zero vector v G FJx]™, written LP(u), 
is the right-most entry in v with maximal degree among the entries of u. A matrix 
V G is in weak Popov form if the leading positions of the non-zero rows 

are all different. 

The following is an easy generalisation of [231 Lemma 8.1], and also appears 
in [25]; we give the short proof here for completeness. 

Proposition 2. Let V G be a basis in weak Popov form of a module 

V. Any non-zero 6 G V satisfies degu < degb where v is the row of V with 
LP{v) = LP(b). If a leading position is not represented by a row in V, then no 
vector in V has that leading position. 

Proof. Let tt G V be non-zero, and so there exists oi,..., G F[a;] not all zero such 
that u = where the Vi are the rows of V. The Vi all have different leading 

position, so the aiVi also have different leading position among those i where ai 0. 
Note that for any two Ui,U 2 with LP(mi) ^ LP(m 2 ), then Ui -\- U 2 has the same 
degree and leading position of either Ui or U 2 . Applied inductively, that implies 
that there is an i such that LP(m) = LP{aiVi) and degn = deg(aiUi) > degu^. □ 

The above proposition means that if R is a basis in weak Popov form of some 
module V, then the rows of V have minimal degree for each possible leading position. 

So we can use the weak Popov form to find small-degree vectors which has the 
greatest degree polynomial on a specific index. Our degree restrictions single out 
Aq as somehow “leading”, but under integral shifts, e.g. of the form deg Xo-\-t{k — l) > 
degtjjf We will handle these shifts by incorporating them directly into the module. 

First, we introduce non-negative variables poi ■ • ■ i Ps-hVi^ •. •, % G Nq as 


po = 1 + — 1) = i-\- i[k — 1), * > 0 r]t = {i — t){k — 1), Vf . (5) 


POWER DECODING RS CODES 


11 


Our degree restrictions now read 

degAo + ^0 > degAj +i = ( 6 ) 

degAo+ Mo > degV't+ ? 7 t, t = (7) 

Notice that a vector v = (Aq, ..., As_i, i/ii,..., ijji) satisfies these degree restrictions 
if and only if LP(uZ?) = 1, where 

D . (8) 

Consider therefore the module M = {vD \ v G -M}, spanned by the rows of 
M = MD. We arrive at: 

Corollary 1. Let B = BD be a basis of M and in weak Popov form, and let v 
be the row of B with leading position 1. Then (Aq, ..., As_i, ipi ,..., ipi) = 'yvD~^ 
constitutes a solution to Problem n such that deg Aq is minimal, where 7 G F* is 
chosen such that Aq is monic. 

Proof. Note that v is well defined since is a square, full-rank matrix in weak 
Popov form and therefore must have a row of leading position 1. By Proposition [21 
V must have minimal degree among vectors in A4 with leading position 1. The above 
discussion then implies that {Xq, ..., satisfies the degree constraints 

of Problem |3l and that Aq has minimal degree among the first term of vectors 
satisfying these constraints. This vector also satishes the congruence constraint of 
Problem [3] since it is in . □ 

Note that any basis of A4 seen as a matrix must be F[a:]-divisible on the right by 
D. So to find a B satisfying Corollary [T1 we need only compute B M such that 
B is in weak Popov form. By ^ we mean left unimodular equivalence, i.e. A ^ B 
for two A,B€ if there exists an invertible matrix U G such 

that A = UB. The F[a;] row spaces of matrices A and B are the same if and only 
HA^B. 

The complete decoding algorithm, with the weak Popov form computation as a 
black box, is given as Algorithm [1] 

Proposition 3. Algorithm]^ is correct. 

Proof. For any codeword c G C, there is an associated error e = r — c and thus error 
locator A and error evaluator Cl. These satisfy Theorem 13.II and therefore induce a 
solution to Problem |3l The first component of this solution is A®. 

By Corollary [H the (Aq, ..., A^-i, tfi,..., ift) computed in Line 2] is a solution 
to Problem |3| where the first component Aq has minimal degree. No codeword can 
therefore have distance less than degAo/s from r, since it would induce a solution 
to Problem |3| with smaller degree than degAg on the first component. 

If fail is not returned in Line [5] then the computed / satisfies deg/ < k, since 
degifi < degAg + {k — 1). Thus ev(/) G C. Since ev(/) is only returned if its 
distance to r is exactly degAg/s, this must be a codeword of minimal distance to 
r. □ 

Algorithm [T] leaves unspecified how to compute B, i.e. how to compute a basis of 
A4 in weak Popov form. Since we are initially given a different basis of A4, namely 
M, the problem is that of finding a matrix which is unimodular equivalent to M 
but in weak Popov form. This problem is well-studied in computer algebra, and 
several algorithms exist which solve this problem directly wm or through a related 



12 


JOHAN S. R. NIELSEN 


Algorithm 1 Efficient Power Decoding with Multiplicities 
Input: r G F”, s,£ G Z-|-. 

Output: c G C such that dist(c, r) is minimal among codewords in C, or fail 

1 Compute R such that R{ai) = Vi. 

2 Construct M as in Proposition [5] and M = MD, where D is as in ([5]). 

3 Compute B in weak Popov form such that B ^ M. 

4 Let V be the row of B with LP(f}) = 1. Let (Aq, ..., A^-i, V'li ■ • ■) '4’t) — 'yvD~^, 
with 7 G F* such that Aq is monic. 

5 If Aq divides tpi, let f = tjji/Xo. Otherwise fail. 

6 If dist(r, ev(/)) = degAg/s then return ev(/). Otherwise fail. 


form |lll[T^[Mll48| . Recall that in complexity bounds, uj denotes the exponent of 
matrix multiplication and M(n) the cost of multiplying together two polynomials 
of degree at most n. Then we have: 

Proposition 4. Given a matrix A G there exists an algorithm to com¬ 
pute a matrix B G in weak Popov form and B A in complexity 

0~(m‘^M(deg A)) as well as one for computing it in complexity 0{m^ deg A^) 
where m = max(mi,m 2 ). 

Corollary 2. Algorithm Q] can be implemented with asymptotic complexity either 
0~{i‘^sn) or 0{£^s^n^). 

Proof. G* can be precomputed for i = 1,..., s. Computing R can be done in 
0(M(n)) using Lagrange interpolation, see e.g. |481 p. 297]. We compute all i?* 
mod G® for i = 1,..., £ in time 0{isM{n)). Constructing M then requires 0{t^) 
elements that are scalings of the product of two known polynomials of degree at 
most sn, requiring 0(£^M(sn)). Clearly, the remaining lines apart from Line[3]are 
cheaper. We have degM G 0{sn) since £{k — 1) < sn. Thus the complexities 
for executing line Line [3| given by Proposition |4| dominates, whether or not a fast 
polynomial multiplication algorithm is used (i.e. whether setting M(A) = 0~{N) or 
M{N) = N^). □ 


4.1. A Puuctured Module by Iguoriug Error-Evaluators. It is possible to 
obtain a smaller matrix than M which will provide us with equally good decoding 
performance. This results in a faster decoding algorithm, though the asymptotic 
complexity remains unchanged. A second benefit of the optimisation is that it makes 
it easier for us to reason on the decoding radius of the algorithm in Section [S] 

The optimisation is based on two observations: Firstly, for decoding we do not 
need to know Ai,..., As since the later steps of the algorithm only uses Aq and ipo- 
Secondly, in the failure probability bound that we derive in Section [S] (for s = 2 and 
£ = 3) the degree restrictions deg Aq > deg Xi i are not used, and thus perhaps 
they have little influence on the failure probability in general. 

In the lattice view, this means that we can simply delete columns 2 to s in both 
M and in D. Bringing this smaller matrix MD G to weak Popov 

form will still solve for the remaining conditions. As a result, we obtain a vector 
(Aq, hopefully equal to (A®, A®/,..., A®/^). 





POWER DECODING RS CODES 


13 


Note that the punctured matrix M takes the form: 


1 

R 




R^ 

0 

G 

2RG 

.. (s-l)i?"-2G 

sR^-^G 

iR^-^G 

0 

0 



QR*-2G2 

... Qr^-^g 

0 

0 

0 

G®-i 

sRG"-i 

... i/,)RG^-^ 



0(^- 

-s-|-l)xs 

G«I(,_ 

-s-|-l)x(f-s+l) 


That is, M is a square, upper-diagonal matrix of full rank. 

It is theoretically not clear whether working with M instead of M could result 
in an increased failure probability. However simulations indicate this is not the 
case. Also, as already mentioned, the failure probability bound derived in Section |6] 
applies for when working with M. 


5. Decoding Radius. We are now in a position to discuss how many errors the 
method will usually cope with. When calling this a “decoding radius” we need to be 
wary: indeed, the method will fail for certain received words whenever the number of 
errors is at least d/2, and this is unavoidable since it is a unique decoding algorithm. 
Therefore, “decoding radius” really involves two parts: 1) how many errors should 
we at most expect to be able to correct; and 2) what is the probability that we will 
fail within this number of errors. 

Perhaps not surprisingly, the latter question is much more difficult than the 
former. In this section we will derive an upper bound on error correction. In 
the next section we discuss the failure behaviour when fewer errors than this has 
occurred. 

The decoding radius upper bound that we will derive is based on bringing MD 
from Section 14.11 to weak Popov form. Recall that what we are essentially doing is 
finding the lowest degree vector in Row][r[ 2 ,](M£>) which has first position as leading. 
The outcome of imposing the leading position requirement is sensitively dependent 
on the module A4, but bounding the size of the lowest degree vector overall is easy: 

Proposition 5. A vector v = (Aq, V'l) ■ • ■ such that vD is a minimal degree 
vector in Row]f[ 2 ;](MZI) satisfies 


s 2(£+1) 2s^ ^ s(£+l)- 


If e > Tpow{s,i) then deg A > degAp/s. 


(9) 


Proof. Let i? be a matrix such that BD is in weak Popov form and unimodular 
equivalent to MD. Recall that D = diag(x''“ , ,..., x'^‘). 

We know from Proposition [5] that since M is square then for any leading position, 
BD contains a vector of minimal degree in Row][r[ 3 ,](MZ)) for that leading position, 
and therefore it also contains a row with minimal degree overall, i.e. with the same 
degree as vD. Now, it is easy to see that since BD is in weak Popov form, then 
degdet(Rid) = Yff/Xi degbi, where bi are the rows of BD (see e.g. [161 P- 384] since 
weak Popov form implies row reduced). Thus, not all the bi can have degree greater 
than degdet{BD), and so this bounds the degree of vD. 












14 


JOHAN S. R. NIELSEN 


Clearly det B = det M. Since M is an upper-diagonal matrix, we can therefore 
easily compute its determinant: 

deg det M = deg G*') = {s£ - (0)n . 

Also deg det £> = /jq -I- Vt = (fc — 1) + 1- Thus we have 
degAo + Mo < deg{vD) 

< Q) )n -I- (A: - 1) -I- l) , 

which rewrites into the sought bound. □ 

When solving the key equations, we will seek a minimal degree vector in Row^j^,] (MD) 
which has leading position 1. We are then hoping that the first element of this vec¬ 
tor equals A®. Since the minimal degree vector overall in the row space might not 
have leading position 1, the above corollary doesn’t quite state that we will surely 
fail in decoding when e > Tpow(s,-^) However, it is natural to suspect that most 
likely, the minimal degree vector with leading position 1 has degree quite close to 
the minimal degree overall. Therefore, we might expect to fail. This intuition is 
also backed by simulation, see Section [71 

We can relate Tpow(s,-^) to something very well known: 


Corollary 3. Denote the maximal decoding radius of the Guruswami-Sudan algo¬ 
rithm on C with multiplicity s and list size £ by tgs{s,£)- Then 


, 2£-S + l £ n 

rasis.t) = - 1 ) = 


(see e.g. Lemma 9.5]). 


Taken over all s and £, the decoding radius of Guruswami-Sudan describes a curve 
J{n,d) = n — y/n{n — d), often called the Johnson radius after [T^. For any integer 
T < J{n,d) there exists infinitely many choices of s,£ such that r = [TGs(Sif^)J- 
Thus, by Corollary [31 Power decoding is similarly bounded by the Johnson radius. 
The corollary even tells us more: if we choose exactly the same s and £ as in the 
Guruswami-Sudan, then Power decoding will decode up to the same radius or at 
most 1 less. 

For the Guruswami-Sudan, good, closed-form expressions for small s and £ given 
the code and r can be found in [751 P- 53]. These therefore immediately apply to 
Power decoding as well. 


6. Failure Behaviour. We will move on to investigate how Power decoding fails 
when at most Tpow(s,f?) errors occur. There are two ways in which Algorithm [T] 
can give an unwanted answer: firstly, the algorithm can return fail; or secondly, the 
algorithm can return a different codeword than the sent one. For a specific sent 
codeword c and received word r, we say that Power decoding fails if one of the two 
following conditions are satisfied: 

1. Algorithm [T] returns fail. 

2. There exists c! c' ^ c, and such that dist(r, d) < dist(r, c). 

Recall that when Algorithm [T] does not return fail, it always returns a codeword of 
minimal distance to the received. So if neither of the above conditions are satisfied. 
Algorithm [T] returns the correct answer. Contrarily, if only item 2 above is satisfied 
and dist(r,c') = dist(r,c), and c might still be correctly returned. This, however. 





POWER DECODING RS CODES 


15 


depends rather arbitrarily on exactly which matrix B is computed by the weak 
Popov form algorithm. For the sake of a cleaner definition, we therefore consider 
this possibility as a failure as well. 

We will begin with showing that the error vector alone determines whether the 
method succeeds. This drastically simplifies further examinations on the failure 
behaviour. It allows us first to show the—quite expected—property that the method 
never fails when fewer than d/2 errors occur. Secondly, it allows us to give a closed 
upper bound on the failure probability when {s,£) = (2,3). Lastly, we discuss the 
relation between Power decoding failing and having multiple close codewords to the 
received word. 


Proposition 6. Power decoding succeeds for some received word r if and only if it 
succeeds for r + c where c is any codeword. 


Proof. If Power decoding fails for r as received word, this is because there exist 
Aq, ..., As_i, i/ji,...,'0^ € F[a;] which solve Problem [31 and where Aq ^ A® and 
degAo < deg A®. Assume this is the case. Let R be the Lagrange interpolant 
corresponding to r + c as received word, i.e. R = R + f where / = ev“^(c) and 
deg f < k. We will show that there exist ifi,... ,ifi € F[a;] such that the Ai ,ipt form 
a solution to Problem [3] for R in place of R. Therefore, Power decoding will also 
fail for r + c as received word. 

Consider for t = the following expansion: 


min(t,s —1) 

^ Ai ■ 


2=0 



min(i,s—1) . . /t—i 

= s fe 

i^O ^ ^ \^=0 

t min(t —/ 2 ,s —1) 

= E/'‘ E ^ 

h—0 i—0 


t — i 
h 


R 




r G* 


A ft — i 


Ri 


t — i — h 


G*. 


Note now that (*) = (1) (* j^). Therefore, the above equals 



min(t—1) 

E 

i=0 


A,; 


t — h 


R 


't—i—h 


G* 



where we by “=” mean = when t < s and congruent modulo G® when t > s. We set 
Ipt as the last expression above. By hypothesis, degipt-h — {t — h){k — 1) < degAo. 
Since deg / < k we therefore get tpt — t{k — 1) < deg A. 

This means the A,, ipt indeed form a solution to Problem [3] for R, as we set out 
to prove. 

The proved implication can immediately be applied in the other direction since 
—c is a codeword, showing the bi-implication. □ 


We now prove that Power decoding always succeeds in half-the-minimum distance 
decoding. The proof is surprisingly technical since we need to keep a handle on the 
key equations simultaneously. 


16 


JOHAN S. R. NIELSEN 


Proposition 7. If fewer than d/2 errors occur, then Power decoding succeeds. 

Proof. By Proposition [51 we can assume that 0 was sent. By Lemma [2.11 we then 
have R = — flT, where T = G/A. 

Assume contrary to the proposition that Power decoding has failed. That means 
there exists (Ao,..., As-i, V'lj ■ • ■ i '4’t) which solve Problem |3l and where Aq 7 ^ A® 
and deg Aq < deg A®. We will inductively establish P{t) for t = 0,..., s — 1, where 
P{t) is the assertion 

P{t) : I Xi and ips-i =0 for z = 0,..., t . 

For t = s — 1, P{t) implies A® | Aq, which contradicts the minimality of Aq, finishing 
the proof. 

For the case P(0), we need to prove that A | Aq and ips = 0. Consider the s’th 
key equation of Problem [3] which is satisfied by the Ai and ips: 

Aii?®-*G* mod G® . (10) 

T® divides each term of the summand, as well as the modulus G®, and so it must 
divide ips- However, we have 

deg 'tps < deg Aq + s(fc — 1) < se + s(fc — 1) < s{n — e) , 

where the last inequality holds since 2e < n — k + 1. Thus ips = 0- 

Returning to (flOl) . we can then conclude A | AqR® , since A divides every other 
term in the sum as well as the modulus. This implies A | Aq since gcd(A, R) = 1. 

For the inductive step, assuming P{t — 1) we will prove P{t) for 1 < t < s. 
Consider now the (s — t)’th key equation, i.e. 

i=0 ^ ' 

Similar to before, T®“‘ divides every term of the sum, so it divides ips-t- By 
P{t - 1) then A*-* | A* for f = 0,..., t - 1, and therefore A* \ A*i?®-*-*GL This 
implies A* | ips-t and hence T®“*A‘ | ips-t- But now we have 

degips-t < deg Ao + (s - t){k - 1 ) < se + (s - t){k - 1 ) < (s - t){n - e) + te , 

which means ipa-t = 0 . 

It remains to show that A‘+^“® | Ai for z = 0,..., t — 1. For j = 1,..., t, multiply 
the (s — j)’th key equation with R^ and relax it to a congruence modulo G®. We 
obtain t + 1 homogeneous linear equations in XiR^~'^G'^ of the form: 

min(s-l,s-J) , 

0= )(Ai?®“*G*) modG®, j = 0,...,t. 

i=o V * / 

Subtracting the jth equation from the (j — l)st for j = 1 ,... ,t, we eliminate Aq 
and get 

0 = ^ (^^":[)(A.i?®-*G*) modG®, J = l,...,t. 


POWER DECODING RS CODES 


17 


This can be continued to get a series of equation systems, that is, for t' = 1,..., t, 
we have a system: 

0 = £ modG% 

i—t' ^ ^ 

For t' = t, the system (which is one equation) implies that | since 

divides all the sum’s other terms and the modulus, and this implies A | A^. We 
can now go to the t' = f — 1 system and regard any of the two equations, and we 
conclude similarly that A*+^ | since A*+^ now is seen to divide all 

other terms of the sum as well as the modulus. This implies A^ | At_i. Continuing 
with decreasing t' we can iteratively conclude A*+^“‘ | A^/. 

This finishes the induction step, establishing P{t) for t = 0,..., s — 1. As men¬ 
tioned, this implies a contradiction, finishing the proof. □ 

We are now in a position to bound the probability that Power decoding fails if 
errors of a given weight are drawn uniformly at random, for the case (s, i) = (2, 3). 
Note that by Proposition [5l then 

Tpow(2, 3) = - ^(/c - 1) - g , 

so these parameters allow the decoder to improve upon both half-the-minimum 
distance and the original Power decoding whenever the rate is between 1/6 and 1/2, 
for long enough codes. 

Proposition 8 . Let q = |F|. Whenever d/2 < e < tpow( 2,3), the prohahility that 
Power decoding fails is upper hounded by 

I 4 (^- 8 ^ (-Pow(2,3)-.)-(0.29./log,-l/4) _ 4(^ _ 4 ) 

I 4(^-1) ('^+3('=-l))/5-F log 10 /log 9+1) _ 4(^ _ 4) 

Proof. By Proposition [ 6 l we can consider the probability over the choice of error 
vector, and simply bound the failure probability when the sent codeword was 0 . 
Since we know by Proposition [3 that the failure probability is zero when e < d/2, 
then we can also assume e > d/ 2 . 

Fix now the number of errors e and error positions £, implying a specific A. For 
a given error e = r with these non-zero positions, we will call r, or R, “bad” if for 
R there exist Xi,'ift solving Problem [3] and such that Aq A® while degAo < deg A®. 
Consequently, Power decoding fails only for bad error-values. Denote by S'a C F[x] 
the set of bad R. We will give an upper bound N on the size of S'a and so N/{q — iy 
bounds the probability that for the fixed error positions, Power decoding fails (since 
for each position, we have q — 1 choices of an error value). N will turn out to be 
independent of the choice of A, and thus N/{q — 1)® is a bound on the probability 
that Power decoding fails for any error of weight e. 

By assumption, the following equations are satisfied: 

f/i = XqR -f AiG , 

^2 = XqR/^ + 2Aii?G mod G^ , 

^3 = XqR? + 3Aii?^G mod G^ . 

Since R{ai) = 0 whenever f ^ S, then T | R where T = G/A. Thus the above 
implies T | and | ift for t = 2,3. Furthermore, we can conclude that 


18 


JOHAN S. R. NIELSEN 


g = gcd('!/'t, A) is the same for all t, since g = gcd(Ao, A). The regular form of the 
above three equations allows eliminating Aq and obtain: 

1/^2 — R^’i = Ai i?G mod , 
tps — i?V '2 = Aimod G^ . 


From this we first note that G | ('02 — R4’i)- We will use this fact momentarily. 
With the two above equations we continue to eliminate Ai and rewrite: 


03 - R’4^2 - ^(02 - -R0i) = 0 
i?^01 — 2i?02 + 03 = 0 
R^i^l - 2i?0l02 + 0103 = 0 
(i?01 - 02)^ + 0103 = 02 


mod G^ 
mod G^ 
mod G^ 
mod G^ . 


But we concluded just before that G 
This leaves the simple relation 


(i? 0 i — 02 ) so (i? 0 i — 02 )^ = 0 mod G^. 


0 I = 0103 mod G^ 

0 |T = '0103 mod A^ , ( 11 ) 

where 0t = and is a polynomial by our earlier observations. Thus, 

whenever R is bad, there is a triple (0i,02,03) G F[a;] satisfying the above relation 
as well as 

deg 0 t < dt = 2e + t{k — 1 ) — min( 2 , t){n — e) . ( 12 ) 

We will count the number of such triples momentarily. However, to thusly bound the 
number of bad error values, we have to determine how many different R could have 
the same triple. Recall that determining R up to congruence modulo A suffices, 
since this determines the error values. However, by our previous observation we 
have 


i?0i = 02 mod G 
i?0i = 02 T mod A 

i? = (' 02 T/ 5 )(' 0 i/g)"^ mod A/g . 

This means that for a given triple (0t)t, having gcd(0t,A) = g, there can be at 
most possible choices of R. 

To bound the number of bad error values N for this given A, we will therefore 
perform a weighted count of all triples satisfying (HD and m, where a triple is 
counted with weight where 5 is a divisor of A dividing all the 


S|A 


g I 04 , deg' 0 t < dt, T' 0 | = ' 0 i '03 mod A^| 
deg'0t <dt- degg, T0| = ' 0 i 03 mod (A/g)^| 


Let Tg be the set inside the last sum. We use Lemma 10 (see below) to upper 
bound iTgl, for any choice of g: setting A = {K/gY, B = T and Kt = dt — degg in 
that lemma, we get 







POWER DECODING RS CODES 


19 


where 7 = 5e — (3n — 4(fc — 1)). This is only dependent on the degree of g. For each 
choice of degg, we can select g in ways since g \ A. For the case 7 > 0, this 

gives us: 



since 8e — (5n — 6(fc — 1) — 3) = 8(e — tpow(2, 3)). 

This can now be simplified. Firstly X]t=Q = (4 + 1)*^. Secondly, 7 < e, as 

can be seen as follows: since e < rpow(2,3) then 4e < |n- — 3(fc — 1). Inserting in 
the expression for 7 , we get that 7 < e — {n/2 — (k — 1)). But since we assumed 
d/2 < rpow(2,3) then fc — 1 < n/2 which means 7 < e. Therefore: 

N < g<=+ 8 (<=-^Pow( 2 . 3 ))- 2 ^Q£ (7 > 0) . 

For the case 7 < 0, we instead get 

N < g4£-(2n-2(fe-l)) + l^Q£ (7 < 0) . 

Since 7 < 0 then 5e < 3n — 4(A: — 1), so 3e < |n — — 1), and therefore 

4e - (2n - 2(A: - 1)) + 1 < e - (d + 3(fc - l))/5 + 1 . 

That means 

N < (^ < 0 ) . 

As previously described N/{q — 1)*^ then becomes a bound on the probability of 
decoding failure. The term then appears, but ^ ^ 2^. Finally, 

lO'^ = (g- 8 )-£logl 0 /( 81 og 9 ) log 10/8 < 0.29. □ 

Lemma 6.1. Let A,B£ F[a;] with gcd(A,i?) = 1, and Ki < K 2 < £ Z+, 

as well as q = |F|. Let S denote the set of triples {fi, f 2 , fs) G F[a;]^ such that 
S/I = / 1/3 mod A, while deg ft < AT* o.nd /2 is monic. Then 

where 7 = max(Ari + ATg, 2 K 2 + degS) — deg A. 

Proof. Consider first 7 < 0 in which case S/| = / 1 / 3 . We can choose /2 in q^^~^ 
ways. The prime divisors of S/| should then be distributed among fi and fs, which 
can be done in ways. Finally, the leading coefficient of fi can be chosen in 

<7 — 1 ways. 

Consider now 7 > 0. We choose again first /2 in one of q^^~^ ways. Then / 1/3 
must be in the set {Bf^ + pA \ p £ F[a;],degp < 7 }, having cardinality at most 
^ 7+1 Pqj. Qf these choices of / 1 / 3 , we can again choose fi and /s in at most 
(g - l)2^i+^3 ways. □ 

The bound of Proposition [ 8 ] demonstrates a rapid, exponential decrease in the 
probability of failure as the number of errors decrease away from Tp'ow(2,3). The 
bound only becomes non-trivial a few errors below rpow(2,3), due to the term 
0.29e/log g — 1/4 in the exponent. For instance, fora [32,9] code over GF(32), then 
'rpow(2, 3) = 13, but the exponent to g“® in the failure probability bound is only 
positive for e < 12. Such a penalty is not observed in simulations, however, and 
seems to be an artefact of our proof. For the [32,9] code, decoding succeeds almost 
always with 13 errors (see next section). Similarly, for a [256, 63] code over GF(256), 
the proposition is only non-trivial for e < 108 while in simulations, decoding works 
almost always up to [rpow(2,3)J = 112 . 


20 


JOHAN S. R. NIELSEN 


Nevertheless, in an asymptotic and relative sense, Proposition [ 8 ] guarantees that 
decoding up to rpow(2,3) almost always succeeds: 

Corollary 4. When s = 2 and £ = 3, with n —> oo while keeping q/n, k/n and e/n 
constant, the probability that Power decoding fails goes to 0 when tjn < tpow(2, 

Proof. Consider the high-error failure probability of Proposition [5] 

4(g-8)(-rpow(2,3)-e)-(0.29£/log 9 - 1 / 4 ) ^ ^j'^-8n^5-0.29£/(ri log ij)-|-l/(4n) 

where 8 = Tpow(2, 3)/n — e/n. Asymptotically 8 approaches some positive constant. 
The failure probability therefore approaches 0. The low-error probability case is 
similar. □ 

6.1. Failure Behaviour in Relation to List Decoding. It is natural to ask 
if the failure behaviour of Power decoding is linked to whether or not there are 
multiple codewords close to the received word, i.e. the list of codewords that e.g. the 
Guruswami-Sudan algorithm would return. There seems, however, to be no clear 
relation like this, as we explain below. 

Consider that c € C was sent and r was received. Suppose Power decoding has a 
decoding radius of t, and that we have a list decoder of the same decoding radius. 
Consider that c' S C is another codeword such that either c or c' is closest to r. 
Then there are the following possibilities: 

1 . dist(c, r) = dist(c', r) < t 

2. dist(c',r) < dist(c, r) < r 

3. dist(c, r) < dist(c',r) < r 

4. dist(c, r) < r < dist(c',r) 

5. dist(c',r) < r < dist(c, r) 

6 . r < dist(c, r), dist(c', r) 

Clearly, both Power decoding and the list decoder will fail in recovering c in 
Item [S] and Item [51 In Items 1-4, the list decoder guarantees to recover c on a list, 
though for Item 1-3 that list will have length at least 2. 

For Power decoding it is less clear-cut. Firstly, for Items I and 2, then Power 
decoding “fails” according to the definition given at the beginning of Section [5] 
Indeed, for Items 2, then Power decoding guarantees to return c' or fail. For Item 
I, however, then Algorithm [1] might be lucky and find c, but in all likelihood v 
becomes a random linear combination of the solution vectors corresponding to c 
and c', and Line [4] therefore returns fail. For Items 3 and 4, then Power decoding 
will probably obtain c, but it might fail in either case. That is, whether there is 
only one codeword within radius r or not, then Power decoding might succeed or it 
might fail. 

That might be surprising at first, so we give examples of these cases. Consider 
C to be the [23, 7 ]cf{ 23 ) GRS code with ai = i — 1 and /3i = 1 for f = 1, ..., 23. For 
this code, rpow(2, 3) = 9. As an example for Item 3 where Power decoding succeeds, 
consider the following vectors: 

C3 = (16 15 20 20 3 0 18 0 19 16 2 11 11 3 9 18 5 0 0 0 5 0 16) G C , 
rg = (16 0 20 20 0 0 18 0 19 0 2 11 0 0 0 0 5 0 0 0 5 0 0 ) . 

Then 8 = dist(r 3 , Cg) < dist(r 3 , 0) = r = 9. So a list decoder with decoding radius 
9 would obtain the list [0, Cg]. Power decoding returns Cg. An example for Item 4 
where Power decoding fails, even though there is only one nearby codeword, 0, is 


POWER DECODING RS CODES 


21 


[n, /c]f 

{sj) 

'^Pow 

^’/(pPowJ 1) 

( L'Tow J ) 

-f/(PPowJ + 1) 

N 

[24, 7]gf(25) 

(2,4) 

10 

0 

6.800 X 10“® 

1 - 5.8 X 10-® 

10® 

[32, 9]gf(32) 

(2,3) 

133 

0 

0 

1-4.20X 10"^ 

10® 

[22, 3]gf(23) 

(6,18) 

14 

4.350 X lO-'^ 

1.414 X 10-2 

1 

10® 

[64, 29](5p’(64) 

(4,5) 

19 

0 

0 

1 

10® 

[68, 31](5p’(7i) 

(3,4) 

20 

0 

0 

1 

10® 

[125,51]gf(i25) 

(4,6) 

42 

0 

0 

1 

10® 

[256, 63]gf(256) 

(2,4) 

116| 

0 

0 

1-3.00X 10-4 

10® 


Table 1. Simulation results. Pfir) denotes the observed proba¬ 
bility of decoding failure (no result or wrong result) with random 
errors of weight exactly r. 


the following received word: 

r4 = (0 291006000500000048 15 00 12). 

That example was found by random generation of error vectors of weight 9, after 
roughly 47 000 successful decoding trials. As an aside, the failure probability bound 
of Proposition [5] yields a number greater than 1 for this code, parameters and 
number of errors. 

7. Simulation Results. The proposed decoding algorithm has been implemented 
in Sage v6.9 [39], and is available for download at http: / /jsrn. dk/code-for-art ides. 
The implementation uses the punctured module described in Section 14.11 and com¬ 
putes the weak Popov form using the Mulders-Storjohann algorithm |55|. The 
asymptotic complexity of the implementation is therefore 0{£^s^n^). 

To evaluate the failure probability, we have selected a range of code and decoding 
parameters and run the algorithm for a large number of random errors. More 
precisely, for each set of parameters, and each decoding radius r, we have created 
N random errors of weight exactly t and attempted to decode a received word 
r = c -I- e for some randomly chosen c (though, of course. Proposition [HI implies 
that shifting by c makes no difference). We have limited the decoding radii used to 
being [tpow(s,^)J + {—1,0,1}. N was either 10^ or 10® for a given parameter set. 

The results are listed as Table [T] 

As is evident, Tpow(s, £) very clearly describes the number of errors we can rely on 
correcting: the probability of failing appears to decay exponentially with Tpow(s, i) — 
e, as we might expect if extrapolating from the bound of Proposition [B] In fact, the 
failure probability is so low that it is difficult to observe failing cases for randomly 
selected errors. 

The case having the highest failure rate is the very low-rate code [22,3]gf(23)- 
For such a low-rate code, Tpow(s,-^) is quite close to the minimum distance, and 
there is a significant probability that a random error will yield a received codeword 
which is closer to another received word. In this case. Power decoding always fails. 

We performed another simulation for this code with 10"^ random errors of weight 
exactly 14 and decoding using the Guruswami-Sudan list decoder. This simulation 
had a 1.23 x 10“^ probability that another codeword was as close or closer to the 
sent codeword. Thus most of the Power decoding failures stem from this. 



22 


JOHAN S. R. NIELSEN 


8. Re-Encoding. “Re-Encoding” is a simple technique invented by Kotter and 
Vardy, originally for reducing the complexity of the interpolation step in the Guruswami- 
Sudan algorithm |18| . It is especially powerful when using different multiplici¬ 
ties at each point, such as in the Kotter-Vardy soft-decision decoding version of 
Guruswami-Sudan m- For the regular Guruswami-Sudan, and in usual asymp¬ 
totic analysis where k/n is considered a constant, re-encoding does not change the 
asymptotic cost; however, it can have a significant practical impact on the run¬ 
ning time, especially for higher-rate codes. We will now show that the re-encoding 
transformation easily applies to Power decoding as well. 

Consider that f is the received word. Using Lagrange interpolation, we can 
easily compute the unique c = ev(/) € C such that c and f coincide on the first 
k positions. Clearly, decoding r = r — c immediately gives a decoding of f. The 
idea of re-encoding is that the leading k zeroes of the resulting r might be utilised 
in the decoding procedure to reduce the computation cost of decoding r. 

Assume therefore for this section that r is the received word after re-encoding 
and therefore has k leading zeroes. That means G \ R where G = 

Consider the linearised key equations of Problem [31 Each of them are now divisible 
by and so we obtain: 

la) V't/G* = , fort=l,...,s-l 

16) V't/G" = mod (G/G)" , for t = s,..., £ . 

The elements and Rt-zQZQ-vain{s,t) polynomials, but of 

much lower degree than before. Thus, we can solve for and ipt directly, being a 
system of fewer variables. The degree restriction on '0t becomes 

deg Ao -I- t{k — 1) — min(s, t)k > deg '0t . 

Note that re-encoding will not change the failure behaviour: by Proposition [31 
the re-encoded equations before dividing through by C™™!®.*) will have solutions 
in one-to-one correspondence with those of the original equations. After dividing 
through by this is still true. 

8.1. Solving the Re-Encoded Eqnations. We solve these key equations exactly 
in the same way as before: construct an F[a;]-matrix whose row space contains all so¬ 
lutions to the congruences (Aq, ..., As_i, ipi,..., ipf), and we find the sought minimal 
solution as a lowest weighted-degree vector in this row space with Aq monic. We then 
hope that this vector equals v = (A®,..., f /G, ..., A®/®/G®,..., A^/^/G®), 

where / is the information polynomial after re-encoding has been applied. 

In the matrix M of Proposition[Tl this is reflected as dividing by ^i^i-ough 

each column for t = s + 1, ...,£ + s, obtaining AI of reduced degree. 

To find a minimal weighted-degree vector in the row space of M, we again mul¬ 
tiply on the right by an appropriately selected diagonal matrix D containing only 
powers of x. Explicitly, we introduce non-negative variables G 

po = 1 + — 1) — sklii = i £{k — 1) — sfc, i > Ofjt = {£ — t){k — 1) — {s — min(s, t))k 

Then we select D = diag(x^“,..., , x ^^,..., x^^). 


POWER DECODING RS CODES 


23 


We then compute B unimodular equivalent to M and such that BD is in weak 
Popov form. If we are fortunate, vD will be the lowest-degree row in BD having 
leading position on the first position. From this, we get A'’ and Af /G^, and so we 
can calculate /. Finally, the original information related to the original received 
word r is then / + /. 

According to Proposition |4] the complexity of finding such BD depends quasi- 
linearly on deg{MD)-. 

deg{MD) < s{n — k) + {£ — s)k < 2s{n — k) , 

where the last inequality comes from the general assumption that £k < sn that 
we mentioned in Section |4l Thus, the complexity of finding B becomes 0~{{£ + 
s)‘^s{n — k)). In standard asymptotic analyses, we assume k £ Q(n), in which case 
this equals 0~{{£ + s)‘^sn). However, in practice, the re-encoding technique should 
give a noticeable speedup. As a last remark, note that the puncturing proposed in 
Section HT] applies equally well to the re-encoded module, yielding the complexity 
0~{£^s{n — k)). 


9. Syndrome Key Equations. As described in Section [2 the first key equation 
decoding algorithm was based on the notion of syndrome polynomial [ 6 ], and simi¬ 
larly, Power decoding without multiplicities was first described using a similar list of 
key equations [36]. The key equations of Theorem 13.II can similarly be rewritten to 
be based on syndrome polynomials, which we will show in this section. As is usual 
for syndrome-formulated key equations, we will assume that 0 is not used as an 
evaluation point. Therefore x \ G. Furthermore, due to a non-essential technicality, 
we will assume s < n. If this did not hold, the following analysis of parameters 
would be slightly more complicated but not impossible. 

Recall the reversal operator rev(p, d) which we defined in Section [211 Define for 
a given value of the multiplicity s the following variants of the powered Lagrange 
interpolant R as well as a generalised notion of syndrome: 


A QS-Z 


^ rev(R(-'*)) 
rev(G)'’“* 


Note the degree that the reversal-operator on uses: ii t — i < s — i 

then so the degree upper bound is (t — i)(n — 1 ). lit — i>s — i 

then deg > deg since we have assumed s < n, and therefore deg < 
(s — i)n — I. 

If s = 1 then equals the classical syndrome polynomial S which we used 

in Section 1221 and 5 '^’*) equals the syndromes discussed in Section [27^ The 
syndromes also appear (with a slightly different definition) in the Interpolation key 
equations for Guruswami-Sudan by Centner et al. |46| . 

We can then formulate the—markedly more involved—syndrome variant of The¬ 
orem [3lll 



24 


JOHAN S. R. NIELSEN 


Theorem 9.1. For any s,£ G Z+ with i > s, then there exist gt G F[a;] for t = 
s,..., £ such that 




= 0 mod 




t 

rev(A"-*f2*) 

i=0 



= 9t 


mod 


fort = s,...,i , 


where 


deg5t < 
Qt = 

— 


es — s if t = s 

es — 1 if t > s 

t{n — k) if t < s 

sn — t{k — 1) — 1 otherwise 

0 if t = s 
i if t > s 


Proof. We need to distinguish between two cases: t < s and t > s. Assume first 
t < s. Since = R*~\ Theorem 13.II srives us 


E*=o (A*-W)((‘)i?(®>*)G®) =A7* 

es + t(n-l)) = rev(AV‘, es + t(n - 1)) , 


where es + t(n — 1) arise from counting the degree upper bound on the left-hand 
side. Every term in the sum has the same degree bound, so we get 


Yi=o rev(A"-®n®)((‘)rev(i?(®'*))rev(G)®) = rev{A^ 

Yi=o rev(A«-®n®)((‘)rev(i?(®'*))rev(G)®) = 0 mod 

ELo rev(A"-®f2®)((‘)5(®’‘)) = 0 mod x^""'®) , 


where the last line follows from rev(G)® being invertible modulo xd’®”'®). This 
concludes the case t < s. 

For the case t > s, we proceed similarly. In the congruence of Theorem 13.11 we 
can readily replace with i?(®’*)G® modulo G®. This gives us: 

A®/* = ^ Q i?(®’*)G®^ mod G® ^ 

A®/* + rev(gt)G" = ^ (A®-®fI®) , 


for some rev(g() G F[x]. The degree of the right-hand side is bounded as 


max I (s — i)e -I- i(e — 1) -I- deg _(- jTjj < 

i '' 


se + s(n — 1) if t = s 
se -I- sn — 1 if t > s 


This immediately bounds deg^t as the theorem states. Note that the above equals 
Pt -|- se -|- t{k — 1) in all cases. We can now reverse the equation as in the previous 
case. When t > s then the degree bound on the summands are not all the same, so 


POWER DECODING RS CODES 


25 


we must add powers of x in the reversed expression: 

s-l 

rev' ‘ ° 


+ <?trev(G)" = ^ rev(A*-*f]0 ( 

i=0 ^ 

gtrev(G)" = ^ rev(A*-*0*) Q rev(i?(*>*))rev(G)*a;''^'‘^ 
gt = Yu rev(A*-*f7*) Q mod a;^‘ . 


mod x^* 


□ 


Remark 3. Just as we remarked that the key equations of Theorem 13.11 resemble 
certain characterisations of Interpolation polynomials in Guruswami-Sudan, so does 
the above syndrome formulation resemble the syndrome Interpolation key equations 
of [5S]. Again, the deeper relation between the error locator approach and the 
Guruswami-Sudan is unclear. 


Theorem inm leads to a decoding algorithm in the very same way as Theorem 13.II 
We could call these algorithms “Power syndromes” and “Power Gao” respectively. 
We have the following important remark: 

Corollary 5. Decoding using Power Gao succeeds if and only if decoding using 
Power syndromes succeeds. 

Proof. This follows easily by the same transformation as in the proof of Theorem l9.ll 
a solution to the linearised key equations of Power Gao induces a solution to the 
linearised key equations of Power syndromes, and vice versa. □ 


Thus the two decoding algorithms have exactly the same decoding performance. 


9.1. Solving the Syndrome Equations. To use the key equations of Theorem l9.ll 
for decoding, we again proceed in a manner similar to that of Section|4l we linearise 
the problem by forgetting the algebraic connection between the rev(A®“®0®) and gt. 

The problem then becomes finding v = (rev(A®), rev(A®“^n),..., rev(Afl®“^), 0,..., 0, t/s,..., 
as the, hopefully, lowest weighted-degree vector in the row space of an explicit F[a;]- 
matrix, Mgy^: a problem we can solve by applying lattice basis reduction techniques. 

We will not go through all the details as in Section 2] since the technique is so similar. 

Msyn e becomes 


^SXS 

1- 

c 

Ofxs 

diag(a;^G ■ • ■ 


where Nsyn € F[a;]'*^^ is the matrix whose (j,t)th entry is 

A^Syn[*,i] ^ ^ i = 1,. ..,s and t = 1,... ,i . 

To find a low weighted-degree vector in the row space of Msyn, we again transform 
MsynDsyn into weak Popov form, where iJsyn is an appropriately chosen diagonal 
matrix, containing only powers of x. Dgyn should be chosen such that the degrees 
of the entries of the sought solution vDsyn all have roughly the same degrees while 






26 


JOHAN S. R. NIELSEN 


retaining LP(t;£)syn) = 1- To handle the first 0 entries, we simply use a large weight. 
Explicitly, we can select: 




t—s times 


s —1 times 


We then compute Bsyn unimodular equivalent to Msyn and such that BsynDsyn 
is in weak Popov form. If we are fortunate, riDsyn will be the lowest-degree row in 
BsynDsyn having leading position on the first position, up to an F-multiple. From 
this, we immediately get A and O, and so we can calculate / using e.g. Lemma l2.II 

Similarly to the re-encoding case in Section |51 the cost of computing Ssyn seems 
to be lower than minimising MD directly, but not asymptotically so. In particu¬ 
lar, the asymptotic complexity has quasi-linear dependence on deg(MsynT)syn) S 
0{s{n — k)). This is similar to when using the re-encoding technique of Section [5] 
However, the puncturing of the module done in Section 14.11 cannot be replicated 
for Power syndrome since that would result in an over-defined basis of the result¬ 
ing punctured module (the punctured matrix would have more rows than columns). 
This in turn would drastically reduce the decoding radius. Thus, the Power syn¬ 
drome variant must reduce an (s -I- matrix, while Power Gao, with or without 
re-encoding, reduces an {£ + 1)^ matrix. On the other hand, it might be possible 
that the s — 1 zero-remainder congruences of Power syndrome could be handled in 
a faster manner than described here. Without a much hner analysis and concrete 
choices of algorithms for computing the weak Popov form, we cannot conclude which 
algorithm will be fastest and by how much. 

10. Conclusion. We demonstrated how the Power decoding technique for Reed- 
Solomon codes can be augmented with a new parameter—the multiplicity—to attain 
the Johnson decoding radius M- The resulting decoder is, as the original Power 
decoding algorithm of Schmidt, Sidorenko and Bossert [36], a partial decoder which 
fails for a few received words within its decoding radius. We showed how one can 
efficiently solve the resulting key equations using lattice basis reduction techniques 
to obtain a complexity close to the fastest realisation of the Guruswami-Sudan or 
Wu list decoding algorithms [l^, namely 0~{£‘^sn). 

The proposed decoder has applications as a simpler alternative to the Guruswami- 
Sudan algorithm—especially for hardware implementations—due to its simple one- 
step shift-register type structure. In particular, for medium rate codes. Power de¬ 
coding with a low multiplicity of 2 or 3 would not be much more complicated to 
implement than half-the-minimum distance decoding while still offering a signifi¬ 
cant improvement in decoding performance. For such parameters, the root-finding 
step of the Guruswami-Sudan algorithm would have a significant circuit area and 
latency. 

The exact failure behaviour of the decoding method remains largely open. For 
s = 1, i.e. the original Power decoding, the failure probability has previously been 
bounded only for £ = 2,3. The case s > 1 seems no easier to analyse: Proposition [51 
simplifies the equations one needs to analyse, and this was instrumental in the case 
for which we were able to bound the failure probability: {s,£) = (2,3). For these 
parameters, the decoding radius improves upon the case s = 1 whenever the rate 
is within ]l/6; l/2[. The remaining open questions on the failure probability were 
counterbalanced by simulations on a range of codes: this demonstrates a failure 
probability which seems to decay exponentially as the number of errors is reduced. 




POWER DECODING RS CODES 


27 


Power decoding has already been applied for various related codes, e.g. improved 
decoding of Interleaved RS codes [33] and Complex RS codes jUj . It is clear that 
the proposed addition of multiplicities can aid those applications as well, and this 
is an interesting avenue of future work. Another interesting question is to extend 
Power decoding to soft-decision decoding, similar to Kotter-Vardy’s variant of the 
Guruswami-Sudan algorithm m- 

We also discussed two variants of the decoding method which reduces the cost in 
practice: re-encoding and a syndrome formulation. Either method roughly replaces 
the complexity dependency on n with n — k. More detailed analysis, and concrete 
choices of basis reduction algorithms is necessary to determine which one is fastest 
in practice. 

11. Acknowledgements. The author would like to thank Vladimir Sidorenko, 
Martin Bossert and Daniel Augot for discussions on Power decoding and this pa¬ 
per. The author gratefully acknowledges the support of the Digiteo foundation, 
project IdealCodes while he was with Inria, and also, while the author was with 
Ulm University, the support of the German Research Gouncil “Deutsche Forschungs- 
gemeinschaft” (DFG) under grant BO 867/22-1. 


References 

|1] A. Ahmed, R. Koetter, and N. R. Shanbhag. VLSI Architectures for Soft-Decision Decoding 
of Reed-Solomon Codes. IEEE Trans. Inf. Theory., 57(2):648-667, Feb. 2011. 

|2] M. Alekhnovich. Linear Diophantine Equations Over Polynomials and Soft Decoding of 
Reed-Solomon Codes. IEEE Trans. Inf. Theory, 51(7):2257—2265, July 2005. 

|3] G. Baker and P. Graves-Morris. Fade approximants, volume 59. Cambridge Univ. Press, 1996. 

|4] P. Beelen and K. Brander. Key equations for list decoding of Reed-Solomon codes and how 
to solve them. J. Symb. Comp., 45(7):773—786, 2010. 

[5] P. Beelen, T. Hpholdt, J. S. R. Nielsen, and Y. Wu. On Rational Interpolation-Based List- 
Decoding and List-Decoding Binary Goppa Codes. IEEE Trans. Inf. Theory, 59(6) :3269—3281, 
June 2013. 

|6] E. R. Berlekamp. Algebraic Coding Theory. Aegean Park Press, 1968. 

[7] M. Chowdhury, C.-P. Jeannerod, V. Neiger, E. Schost, and G. Villard. Faster Algorithms for 
Multivariate Interpolation With Multiplicities and Simultaneous Polynomial Approximations. 
IEEE Trans. Inf. Theory, 61(5):2370-2387, May 2015. 

[8] H. Cohn and N. Heninger. Ideal forms of Coppersmith’s theorem and Guruswami-Sudan list 
decoding. arXiv, 1008.1284, 2010. 

[9] P. Fitzpatrick. On the Key Equation. IEEE Trans. Inf. Theory, 41(5):1290—1302, 1995. 

[10] S. Gao. A New Algorithm for Decoding Reed-Solomon Codes. In Communications, Informa¬ 
tion and Network Security, number 712 in S. Eng. and Comp. Sc., pages 55-68. Springer, Jan. 
2003. 

[11] P. Giorgi, C. Jeannerod, and G. Villard. On the Complexity of Polynomial Matrix Computa¬ 
tions. In Proc. of ISSAC, pages 135—142, 2003. 

[12] Gottfried Ungerbock. Improved burst-error correction by joint decoding of interleaved RS 
codes. In Munich Workshop on Coding and Modulation, July 2015. 

[13] S. Gupta, S. Sarkar, A. Storjohann, and J. Valeriote. Triangular -basis decompositions and 
derandomization of linear algebra algorithms over. J. Symb. Comp., 47(4):422-453, Apr. 2012. 

[14] V. Guruswami and M. Sudan. Improved Decoding of Reed-Solomon Codes and Algebraic- 
Geometric Codes. IEEE Trans. Inf. Theory, 45(6):1757—1767, 1999. 

[15] S. M. Johnson. A New Upper Bound for Error-Correcting Codes. IEEE Trans. Inf. Theory, 
46:203-207, 1962. 

[16] T. Kailath. Linear Systems. Prentice-Hall, 1980. 

[17] R. Kotter and A. Vardy. Algebraic Soft-Decision Decoding of Reed-Solomon Codes. IEEE 
Trans. Inf. Theory, 49(ll):2809-2825, 2003. 

[18] R. Kotter and A. Vardy. A Complexity Reducing Transformation in Algebraic List Decoding 
of Reed-Solomon Codes. In Proc. of IEEE ITW, 2003. 


28 


JOHAN S. R. NIELSEN 


[19] K. Lee and M. E. O’Sullivan. List Decoding of Reed—Solomon Codes from a Grobner Basis 
Perspective. J. Symb. Comp., 43(9):645 — 658, 2008. 

[20] K. Lee and M. E. O’Sullivan. List decoding of Hermitian codes using Grobner bases. J. Symb. 
Comp., 44(12):1662-1675, 2009. 

[21] W. Li, J. S. R. Nielsen, and V. R. Sidorenko. On Decoding of Interleaved Chinese Remainder 
Codes. In Proc. of MTNS, 2014. Extended abstract. 

[22] M. Mohamed, S. Rizkalla, H. Zoerlein, and M. Bossert. Deterministic Compressed Sensing 
with Power Decoding for Complex Reed-Solomon Codes. In Proc. of SCC, 2015. 

[23] T. Mulders and A. Storjohann. On Lattice Reduction for Polynomial Matrices. J. Symb. 
Comp., 35(4):377-401, 2003. 

[24] J. Nielsen and P. Beelen. Sub-Quadratic Decoding of One-Point Hermitian Codes. IEEE 
Trans. Inf. Theory, 61(6):3225—3240, June 2015. 

[25] J. S. R. Nielsen. Generalised Multi-sequence Shift-Register Synthesis using Module Minimi¬ 
sation. In Proc. of IEEE ISIT, pages 882-886, 2013. 

[26] J. S. R. Nielsen. List Decoding of Algebraic Codes. PhD thesis. Technical University of Den¬ 
mark, 2013. 

[27] J. S. R. Nielsen. Power Decoding of Reed-Solomon Codes Revisited. In Proc. of ICMCTA, 
Sept. 2014. 

[28] J. S. R. Nielsen. Power Decoding of Reed-Solomon Up to the Johnson Radius. In Proc. of 
ACCT, Sept. 2014. 

[29] J. S. R. Nielsen and A. Storjohann. Algorithms for Simultaneous Pade Approximations. In 
Proc. of ISSAC, Feb. 2016. Submitted. 

[30] Z. Olesh and A. Storjohann. The vector rational function reconstruction problem. In Proc. of 
WWCA, pages 137-149, 2006. 

[31] R. Roth. Introduction to Coding Theory. Cambridge Univ. Press, 2006. 

[32] R. Roth and G. Ruckenstein. Efficient Decoding of Reed-Solomon Codes Beyond Half the 
Minimum Distance. IEEE Trans. Inf. Theory, 46(1):246 -257, 2000. 

[33] S. Sarkar and A. Storjohann. Normalization of Row Reduced Matrices. In Proc. of ISSAC, 
pages 297-304. ACM, 2011. 

[34] G. Schmidt, V. Sidorenko, and M. Bossert. Decoding Reed-Solomon Codes Beyond Half the 
Minimum Distance Using Shift-Register Synthesis. In Proc. of IEEE ISIT, pages 459-463, 
2006. 

[35] G. Schmidt, V. Sidorenko, and M. Bossert. Collaborative Decoding of Interleaved 
Reed-Solomon Codes and Concatenated Code Designs. IEEE Trans. Inf. Theory, 55(7):2991— 
3012, 2009. 

[36] G. Schmidt, V. Sidorenko, and M. Bossert. Syndrome Decoding of Reed-Solomon Codes 
Beyond Half the Minimum Distance Based on Shift-Register Synthesis. IEEE Trans. Inf. 
Theory, 56(10):5245-5252, 2010. 

[37] V. Sidorenko and M. Bossert. Fast skew-feedback shift-register synthesis. Designs, Codes and 
Cryptography, 70(l-2):55-67, Jan. 2014. 

[38] V. Sidorenko and G. Schmidt. A Linear Algebraic Approach to Multisequence Shift-Register 
Synthesis. Problems of Information Transmission, 47(2):149-165, 2011. 

[39] W. A. Stein et al. SageMath Software, http://www.sagemath.org. 

[40] M. Sudan. Decoding of Reed-Solomon Codes beyond the Error-Correction Bound. J. Com¬ 
plexity, 13(1):180-193, 1997. 

[41] Y. Sugiyama, M. Kasahara, S. Hirasawa, and T. Namekawa. A Method for Solving Key 
Equation for Decoding Goppa Codes. Information and Control, 27(l):87-99, 1975. 

[42] P. Trifonov and M. Lee. Efficient Interpolation in the Wu List Decoding Algorithm. IEEE 
Trans. Inf Theory, 58(9):5963-5971, 2012. 

[43] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge Univ. Press, 3rd 
edition, 2012. 

[44] A. Wachter-Zeh, A. Zeh, and M. Bossert. Decoding interleaved Reed-Solomon codes beyond 
their joint error-correcting capability. Designs, Codes and Cryptography, 71(2):261-281, July 
2012. 

[45] Y. Wu. New List Decoding Algorithms for Reed-Solomon and BCH Codes. IEEE Trans. Inf. 
Theory, 54(8):3611-3630, 2008. 

[46] A. Zeh, C. Centner, and D. Augot. An Interpolation Procedure for List Decoding Reed- 
Solomon Codes Based on Generalized Key Equations. IEEE Trans. Inf. Theory, 57(9):5946— 
5959, 2011. 


POWER DECODING RS CODES 


29 


[47] A. Zeh, A. Wachter, and M. Bossert. Unambiguous Decoding of Generalized Reed—Solomon 
Codes Beyond Half the Minimum Distance. In Proc. of IZS, 2012. 

[48] W. Zhou and G. Labahn. Efficient algorithms for order basis computation. J. Symb. Comp., 
47(7):793-819, July 2012. 

E-mail address: jsrn@jsrii.dk 


